쫑콩아빠의 지금 이 순간...

1.     get system performance status
-       현재 CPU & Memory, Traffic 사용량, Session수 및 Uptime 확인
2.     get system status
-       OS Version 및 Serial 정보 확인
3.     diag debug crashlog read
-       프로세서 Crash 내역 및 FortiGate의 주요 이슈 사항 확인
4.     diag log alertconsole list
-       관리자 계정 Login 실패 기록, 장비 재시작, 전원 off, FortiGuard 업데이트 내역 확인
5.     diag hardware device nic port1
-       해당 Port의 Speed/Duplex 및 Error확인 가능
6.     diag netlink device list
-       전체 Port에 대한 Error 확인
7.     get route info routing-table all
-       Routing Table 확인
8.     get sys arp
-       ARP Table 확인
9.     get system interface
-       Interface IP정보 확인

10. 기타
# excute tac report

# fnsysctl ls -l /dev/shm
# fnsysctl ls -l /tmp
# diagnose hardware sysinfo shm
# diagnose hardware sysinfo slab
# diagnose hardware sysinfo interrupt
# diagnose ip arp list
# diagnose ip rtcache list
# diagnose ip router command show show int
# diagnose ips anomaly list
# diagnose ips anomaly status
# diagnose ips dissector status
# diagnose ips packet status
# diagnose ips raw status
# get ips session
# diagnose sys session stat
# get system auto-update status
# get system auto-update versions
# diagnose test update info
# diagnose sys flash list
# fnsysctl df -k
# diagnose sys logdisk smart
# diagnose sys logdisk status
# diagnose sys ha status
# diagnose sys ha showcsum
# diagnose sys ha hadiff status
# diagnose sys ha dump-by all-vcluster
# diagnose sys ha dump-by rcache
# diagnose sys ha dump-by all-group
# diagnose sys ha dump-by memory
# diagnose sys ha dump-by vdom
# diagnose sys ha dump-by debug-zone
# diagnose sys ha dump-by kernel
# diagnose sys ha dump-by device
# get sys session-info statistics
# get system session-info ttl
# get system session-helper-info list
# diagnose netlink aggregate list
# diagnose netlink brctl list
# diagnose netlink device list
# diagnose firewall fqdn list
# diagnose firewall iplist list
# diagnose firewall ipmac list
# diagnose firewall ipmac status
# diagnose firewall iprope list
# get firewall proute
# diagnose firewall schedule list
# get system performance firewall statistics
# get router info routing-table all
# get router info routing-table database
# get vpn ipsec stats crypto
# get vpn ipsec tunnel details
# get vpn status ssl list
# get webfilter ftgd-statistics
# get webfilter status
# diagnose spamfilter fortishield statistics list
# diagnose spamfilter fortishield servers
# get hardware nic mgmt2
# get hardware nic mgmt1
# get hardware nic port32
# get test proxyacceptor 1
# get test proxyacceptor 4
# get test proxyworker 1
# get test proxyworker 4
# get test proxyworker 4444
# get test http 444
# get test http 11
# diagnose sys scanunit stats all
# get test urlfilter 10
# diagnose sys sip-proxy filter clear
# diagnose sys sip-proxy redirect list
# diagnose sys sip-proxy config list
# diagnose sys sip-proxy config profiles
# diagnose sys sip-proxy meters list
# diagnose sys sip-proxy stats proto
# diagnose sys sip-proxy stats call
# diagnose sys sip-proxy stats udp
# diagnose sys sip-proxy calls idle
# diagnose sys sip-proxy session list
# diagnose sys sccp-proxy stats list
# diagnose sys sccp-proxy phone list
# get test ipsmonitor 1
# get test ipsmonitor 3
# get test radiusd 5
# diagnose test application miglogd 6
# diagnose debug crashlog read

http://alstechcorner.blogspot.kr/2014/01/how-to-automate-fortigate-configuration.html

USERS-FW2 # config firewall ipmacbinding setting
USERS-FW2 (setting) # show full-configuration
config firewall ipmacbinding setting
set bindthroughfw enable
set bindtofw enable
set undefinedhost block
end

USERS-FW2 # config firewall ipmacbinding table
USERS-FW2 (table) # show full-configuration
config firewall ipmacbinding table
edit 1
set ip 10.10.10.100
set mac 00:e0:4c:50:22:f2
set name "sbbaek"
set status enable
next
end

USERS-FW2 # config system interface
USERS-FW2 (interface) # edit mgmt2
set ipmac enable
next
end

Fortigate SIP ALG / Fortinet SIP ALG

FortiOS has two features that can modify the SIP headers and SDP parameters. The first feature is called the “SIP Session Helper”. If you are experiencing one way audio issues disable this feature first, reboot your IP phone then try making another call. If disabling the session helper does not work, disable the SIP ALG as well.

To disable the sip session helper:

1 Enter the following command to find the sip session helper entry in the session-helper list:

show system session-helper

edit 10
 set name sip
 set port 5060
 set protocol 17

2 Enter the following command to delete session-helper list entry number 10 to disable the sip session helper:

config system session-helper
 delete 10

To disable the SIP ALG:

There are typically two VOIP profiles on a factory shipped Fortinet firewall. You may need to disable both profiles to fully stop the ALG.

config voip profile
 edit VoIP_Pro_2
 config sip
 set status disable
 end
 end

See the Fortigate Technical documentation page  for further details.

# Fortigate IPS DoS configuration Sample

Fortigate $ show ips DoS block_dos
config ips DoS
    edit "block_dos"
            config anomaly
                edit "tcp_syn_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "tcp_port_scan"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "tcp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "tcp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "udp_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "udp_scan"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "udp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "udp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "icmp_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "icmp_sweep"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "icmp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "icmp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "ip_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "ip_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
            end
    next
end

Fortigate $ sh firewall interface-policy
config firewall interface-policy
    edit 1
        set interface "dmz"
            set srcaddr "all"
            set dstaddr "all"
            set service "ANY"
        set ips-DoS-status enable
        set ips-DoS "block_dos"
    next
end

## Default

Fortigate # show firewall DoS-policy
config firewall DoS-policy
    edit 2
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
            config anomaly
                edit "tcp_syn_flood"
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set threshold 5000
                next
                edit "tcp_dst_session"
                    set threshold 5000
                next
                edit "udp_flood"
                    set threshold 2000
                next
                edit "udp_scan"
                    set threshold 2000
                next
                edit "udp_src_session"
                    set threshold 5000
                next
                edit "udp_dst_session"
                    set threshold 5000
                next
                edit "icmp_flood"
                    set threshold 250
                next
                edit "icmp_sweep"
                    set threshold 100
                next
                edit "icmp_src_session"
                    set threshold 300
                next
                edit "icmp_dst_session"
                    set threshold 1000
                next
                edit "ip_src_session"
                    set threshold 5000
                next
                edit "ip_dst_session"
                    set threshold 5000
                next
                edit "sctp_flood"
                    set threshold 2000
                next
                edit "sctp_scan"
                    set threshold 1000
                next
                edit "sctp_src_session"
                    set threshold 5000
                next
                edit "sctp_dst_session"
                    set threshold 5000
                next
            end
    next
end

Fortigate #

Fortigate Port Restricted

## Dynamic source NAT without changing the source port (one-to-one source NAT)

# Problem

Some protocols or services will only function if they use a specific source port, or a source port that does not change. Normally source NAT changes the source port to allow multiple simultaneous sessions.

# Solution

You can select the fixed port option to restrict the FortiGate unit to not translate the source port. This results in a one-to-one NAT configuration. One-to-one NAT limits the number of simultaneous sessions that are supported because one variable for tracking sessions (the source port number) is no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external IPs added to an IP pool.

In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled from the CLI so this entire example is configured from the CLI.

1 Enter the following command to add the IP pool:

config firewall ippool

edit Dynamic-Source

set startip 172.20.120.13

set endip 172.20.120.15

end

2 Enter the following command to add a security policy that allows users on the private network to access the Internet.

config firewall policy

edit 0

set srcintf internal

set srcaddr all

set dstintf wan1

set dstaddr all

set schedule always

set service ANY

set action accept

set nat enable

set fixedport enable

set ippool enable

set poolname Dynamic-Source

end

If you edit this policy from the web‑based manager, you will notice that the Fixed Port option is visible and is selected.

Resetting a lost Fortigate Admin Password